Microsoft Defends Passport To Privacy Group
securitas writes: "CNET reports that Microsoft is defending Passport as safe and secure in a presentation to the Center for Democracy and Technology. Other organizations such as the Electronic Privacy Information Center, Junkbusters and even the U.S. government may be lobbied by MS this week to fend off a Federal Trade Commission complaint filed by 15 consumer and privacy groups that charges unfair and deceptive practices."
Like this one. They won't allow users to use Passport authentication to buy their goods, and they posted info about why. What better way to prevent users from using MSPassport, than to send consumers mixed signals about being able to use it.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
Information leaking from one site is annoying, esp. if it's something like a credit card number, but it's nothing compared to aggregated information being leaked.
As a silly example, let's say you buy rat poison. No big thing, people buy it all the time.
Let's say you buy a book about "perfect murders... and how they were caught." No big deal, people buy true crime books all the time.
Now let's say you recently bought a bunch of lingerie. And had it delivered. But not to your home address. You're having an affair, sleazy, but not unheard of.
Now finally let's toss in the fact that you just consulted a lawyer. A divorce lawyer. One who specializes in breaking prenuptial agreements.
Suddenly things are much more interesting.
Most of us aren't planning to murder our spouse, or even to look like we're thinking about it. But it's certainly possible for mindless data aggregation to cause people to jump to the wrong conclusion. E.g., you bought a couple books on alcoholism, and a few cases of wine? You obviously have a problem, don't you. (Nope, the wine is a gift to newlyweds and the book is to help me understand if my nephew needs help.) Etc and so forth.
Even with all of this information centralized with Microsoft (and make no mistake that the Passport/Hailstorm system will not collect this information), my biggest concern isn't that it will be leaked. My concern is that it will have bogus information fed into it. There's a nice market opportunity for nasty companies to put bad information into these records, then offer to clean it up for you. For a modest price, of course. All of the potential damage of a credit report, but with none of the legal safeguards.
Of course, that same problem exists today with the aggregated data provided by credit card companies, but again it isn't a *single* point of failure. Even if you crack Citibank (still the largest CC issuer?), it does nothing about the hundreds of millions of people who don't have Citibank cards. But crack Hailstorm and you'll have information on almost everyone online.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
The funny thing is, I don't know if it uses some kind of mnemonic algorithm like VMS's password generator does, but I find the generated passwords to be very rhythmic and easy to remember. I'd give an example of my favorite, but then I'd have to change my credit card password :P. Of course, it may just be something peculiar about how my mind works; I've always found it very easy to remember arbitrary number sequences when they are used frequently in my daily life (phone numbers, IBM PC color codes, &c)
TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
>Either way, a centralized system is needed for identification.
Um, NO.
In fact, HELL NO.
Apple's got something called the "Key Ring", which keeps all of your passwords in a strongly-encrypted file, on your OWN machine.
Not only that, every time an app (such as a web browser) wants one of your passwords, the Keyring, NOT the app, ASKS you if it can release it. (This is subject to a user preference, of course.)
You get the benefit of single sign-on (i.e., you only need to remember the passphrase to your keyring), and you can also use *truly* random passwords on all of the sites/services out there. If your login is B1378gHz##/74u9%z, it's a whole lot less likely to fall to a dictionary attack.
Single sign-on is a good idea. MicroSquish passport is just about the worst way I can think of to implement it.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."